[opensuse] Re: [opensuse-security] Need help with SuSE 9.3 and /var/log/auth.log
On Tuesday 29 May 2007, Andreas wrote:
Hi, sorry for not using english in the other post.
I've got an old SuSE 9.3 system that serves as a firewall/router/samba for a small office. I use ssh for maintenance. Recently I learned that on other systems there is a /var/log/auth.log that logs who is coming in. This file doesn't exist on my system and I couldn't find an entry in the 2 files in /etc/syslog-ng. Could someone give me a hint how to set this auth.log up? I have to admit that I'm not really hot with this setup stuff that goes beyond yast.
I don't think 9.3 uses syslog-ng just the old syslog. Therefore /var/log/messages would be the place to look for messages about "who is coming in" (whatever that might mean). You could type "last" as root and see the list of logins. -- _____________________________________ John Andersen -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 2007-05-29 19:29, John Andersen wrote:
<snip>
I don't think 9.3 uses syslog-ng just the old syslog.
I can't recall which is the default, but syslog-ng is included -- it's been running here since installation, because I never could figure out how to configure syslogd. -- Hypocrisy is the homage vice pays to virtue. -- François de La Rochefoucauld
Darryl Gregorash wrote:
On 2007-05-29 19:29, John Andersen wrote:
<snip>
I don't think 9.3 uses syslog-ng just the old syslog.
I can't recall which is the default, but syslog-ng is included -- it's been running here since installation, because I never could figure out how to configure syslogd.
The old syslog is still the default for reasons that escape me. Regards, -- Jos van Kan registered Linux user #152704
On 2007-05-31 02:15, Jos van Kan wrote:
Darryl Gregorash wrote:
On 2007-05-29 19:29, John Andersen wrote:
<snip>
I don't think 9.3 uses syslog-ng just the old syslog.
I can't recall which is the default, but syslog-ng is included -- it's been running here since installation, because I never could figure out how to configure syslogd.
The old syslog is still the default for reasons that escape me. Do you mean even in 10.2?? We need to find the maintainer for that and slap him on the head :-)
The only problem I ever had with syslog-ng's default setup went away because I discovered a cron feature I thought was not available to an ordinary user. However, without that feature, it still would have been very easy to resolve the problem within syslog-ng, just by creating a new filter and excluding my filter from another filter. With syslogd, I think getting rid of all those log entries might well be next to impossible. I do not even understand why syslogd is even still included in the distribution, unless it is for die-hard admins who think anything that can be understood by ordinary folk is evil :-) -- Hypocrisy is the homage vice pays to virtue. -- François de La Rochefoucauld
On Thursday 31 May 2007, Darryl Gregorash wrote:
The old syslog is still the default for reasons that escape me.
Do you mean even in 10.2?? We need to find the maintainer for that and slap him on the head :-)
No, not in 10.2. I was pleasantly surprised to see syslog-ng as default in 10.2. Surprised because net-filter messages seemingly fell off the face of the earth - I was still expecting them in /var/log/messages rather than /var/log/firewall. I think at the time 9.3 was released syslog-ng was not considered ready for prime time or something. -- _____________________________________ John Andersen
The Thursday 2007-05-31 at 09:21 -0600, Darryl Gregorash wrote:
I do not even understand why syslogd is even still included in the distribution, unless it is for die-hard admins who think anything that can be understood by ordinary folk is evil :-)
Probably because syslogd is more tested and reliable. The ng one still has some bugs, and even missing features. Even so, I prefer the ng one. - -- Cheers, Carlos E. R.
On 2007-06-01 03:22, Carlos E. R. wrote:
The Thursday 2007-05-31 at 09:21 -0600, Darryl Gregorash wrote:
I do not even understand why syslogd is even still included in the distribution, unless it is for die-hard admins who think anything that can be understood by ordinary folk is evil :-)
Probably because syslogd is more tested and reliable. The ng one still has some bugs, and even missing features.
Which version is in 10.2? Go to the syslog-ng homepage, current version is 2.0. I'm not sure which features might be missing, syslog-ng doesn't encrypt or compress a log file. I suppose encryption would be important for any separate log file for facility authpriv. Does syslogd support file encryption?
Even so, I prefer the ng one.
So do I, by a large margin. -- Hypocrisy is the homage vice pays to virtue. -- François de La Rochefoucauld
The Friday 2007-06-01 at 03:50 -0600, Darryl Gregorash wrote:
some bugs, and even missing features. Which version is in 10.2? Go to the syslog-ng homepage, current version is 2.0.
syslog-ng-1.6.11-23 And I ain't updating, too basic.
I'm not sure which features might be missing, syslog-ng doesn't encrypt or compress a log file. I suppose encryption would be important for any separate log file for facility authpriv. Does syslogd support file encryption?
Dunno. Not implemented documented features:
mark(n) The number of seconds between two MARK lines. NOTE: not implemented yet.
Bugs: the one I reported today. Worse is that to find a parse error in the config file is awfully difficult, the error messages do not point to the exact culprit. No parsing help tools. A parse error may mean no daemon loaded.
Even so, I prefer the ng one. So do I, by a large margin.
So do I, but I tremble when thinking of a change. I once had to fight one for days. - -- Cheers, Carlos E. R.
On 2007-05-29 19:29, John Andersen wrote:
I don't think 9.3 uses syslog-ng just the old syslog.
I am pretty sure the default syslogd configuration logs authpriv to a separate file, therefore the OP is very probably running syslog-ng on that system. For completion on this list, here is my reply on opensuse-security:
Those other systems are probably using the syslogd daemon, which is the default. Syslog-ng is significantly better, so I don't know why it isn't the default.
By default, all these log messages are going to /var/log/messages. You need to create a new filter and destination in /etc/syslog-ng.conf.in for messages from facility "authpriv", run (as root) "/sbin/SuSEconfig --module syslog-ng" (this will create the .conf file from your changed .conf.in file -- note that 10.0 and later no longer use the .conf.in file), then "rcsyslog reload" (force syslog-ng to re-read its configuration file).
The following will log everything on facility authpriv to /var/log/auth.log:
filter f_authpriv { facility(authpriv); };
destination authpriv { file("/var/log/auth.log"); };
log { source(src); filter(f_authpriv); destination(authpriv); };
By default, /var/log/auth.log will be created with owner:group as root:root and permissions 0600, so security should not be an issue. If you wish group root to be able to read the file also, then change the "destination" line above to read:
destination authpriv { file("/var/log/auth.log" perm(0660)); };
The messages will still be logged to /var/log/messages. If you don't want them in there, you also need to change this line:
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
to read
filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter(f_authpriv); };
Phillipe Vogel replied to this with a suggestion to logrotate, so the file doesn't become too large:
To avoid unreadably long logfiles, edit the logrotate service to rotate your logs at fixed periods, like monthly.
To proceed, add these extra lines to /etc/logrotate.conf:
/var/log/auth.log {
    monthly
    create 0660 root root
    rotate 1
}
It will create an auth.log.<date> after each logrotate call with the same permissions as above.
Logrotate is run via a crond job, so AFAIK you need not restart the service, as crond calls the script itself.
I replied with some comments that on a very busy system, a more frequent rotation might be in order, eg with "weekly" or "size <bytes>" instead of "monthly". Also, where it is important (eg. for a corporation), an admin might want more than 2 months-worth of login data, eg. "rotate 12" for a whole year, or even "maxage <days>" (the latter being how syslog-ng is configured in SuSE). -- Hypocrisy is the homage vice pays to virtue. -- François de La Rochefoucauld
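Once authpriv messages land in a file of their own, the question the original poster asked ("who is coming in") is answered by reading sshd's Accepted/Failed lines out of it. The script below is an added example, not code from the thread or from SuSE; it assumes the classic BSD syslog line format that syslogd and syslog-ng 1.6 write by default ("Mon DD HH:MM:SS host prog[pid]: message") and the sshd message wording of that era. The sample log lines, the host name and the addresses are constructed for the example, and the failure threshold of 3 is an arbitrary choice.

```python
"""Summarise SSH logins from an authpriv log such as /var/log/auth.log.

Added example, not taken from the mailing-list thread. It assumes the
classic BSD syslog line format ("Mon DD HH:MM:SS host prog[pid]: msg").
"""
import re
from collections import Counter, defaultdict

# Constructed sample of what sshd (and one smbd line) write to authpriv.
SAMPLE_LOG = """\
May 29 19:29:01 gw sshd[4121]: Accepted publickey for andreas from 192.0.2.10 port 51234 ssh2
May 29 19:31:07 gw sshd[4130]: Failed password for root from 198.51.100.7 port 40112 ssh2
May 29 19:31:09 gw sshd[4130]: Failed password for root from 198.51.100.7 port 40112 ssh2
May 29 19:31:12 gw sshd[4132]: Failed password for invalid user admin from 198.51.100.7 port 40120 ssh2
May 29 19:31:15 gw sshd[4134]: Failed password for invalid user test from 198.51.100.7 port 40131 ssh2
May 29 19:40:22 gw sshd[4150]: Accepted password for andreas from 192.0.2.10 port 51240 ssh2
May 29 19:41:00 gw sshd[4151]: Failed password for andreas from 192.0.2.10 port 51241 ssh2
May 29 19:45:00 gw smbd[2001]: connection from 192.0.2.20
"""

# Outer syslog envelope: timestamp, host, program[pid], message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd result line; "invalid user" appears for names with no account.
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd Accepted/Failed line, else None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "sshd":
        return None
    s = SSHD_RE.match(m.group("msg"))
    if not s:
        return None
    return {
        "ts": m.group("ts"), "host": m.group("host"),
        "result": s.group("result"), "method": s.group("method"),
        "user": s.group("user"), "src": s.group("src"),
        "invalid_user": "invalid user" in m.group("msg"),
    }


def summarise(text, fail_threshold=3):
    """Who came in, who failed, and which sources look like brute force."""
    accepted = []                  # (ts, user, src, method) per login
    failures = Counter()           # src -> number of failed attempts
    failed_users = defaultdict(set)  # src -> user names tried
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Accepted":
            accepted.append((ev["ts"], ev["user"], ev["src"], ev["method"]))
        else:
            failures[ev["src"]] += 1
            failed_users[ev["src"]].add(ev["user"])
    suspicious = sorted(s for s, n in failures.items() if n >= fail_threshold)
    return {
        "accepted": accepted,
        "failures": dict(failures),
        "failed_users": {k: sorted(v) for k, v in failed_users.items()},
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    r = summarise(SAMPLE_LOG)
    for ts, user, src, method in r["accepted"]:
        print(f"{ts}  login  {user:<10} from {src} ({method})")
    for src in r["suspicious"]:
        print(f"brute-force candidate: {src}  {r['failures'][src]} failures,"
              f" users tried {r['failed_users'][src]}")
```

Run it against a real file with `summarise(open("/var/log/auth.log").read())` as root, since the thread's suggested destination creates the file 0600 root:root. Lines that are not sshd results (the smbd line above) are skipped rather than mis-parsed, and a source that fails against several different user names is the pattern to look at first.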
participants (4)
- Carlos E. R.
- Darryl Gregorash
- John Andersen
- Jos van Kan